11.
    Invention patent
    Unknown

    Publication (announcement) number: AT378645T

    Publication (announcement) date: 2007-11-15

    Application number: AT05112266

    Application date: 2005-12-15

    Applicant: IBM

    Abstract: The invention provides federated functionality within a data processing system by means of a set of specialized runtimes. Each of the plurality of specialized runtimes provides requested federation services for selected ones of the requestors according to configuration data of respective federation relationships of the requestors with the identity provider. The configuration data is dynamically retrieved during initialization of the runtimes which allows the respective runtime to be specialized for a given federation relationship. Requests are routed to the appropriate specialized runtime using the first requestor identity and the given federation relationship. The data which describes each federation relationship between the identity provider and each of the plurality of requestors is configured prior to initialization of the runtimes. Configuration data is structured into global specified data, federation relationship data and requestor specific data to minimize data change, making the addition or deletion of requestors very scalable.

    12.
    Invention patent
    Unknown

    Publication (announcement) number: DE60130037D1

    Publication (announcement) date: 2007-09-27

    Application number: DE60130037

    Application date: 2001-10-25

    Applicant: IBM

    Abstract: A method, system, or computer program product is presented for cross-domain, single-sign-on authentication functionality. The methodology uses an introductory authentication token to introduce an already authenticated user from one domain to a new domain. This token is passed from one domain to the other domain using HTTP redirection. The token is protected by encryption with a cryptographic key shared only between the two domains, exchanged in a secure manner, so that an external user cannot generate a counterfeit introductory token. An introductory token is further protected by giving it a limited lifetime, so that an unauthorized user would not be able to use or reuse the introductory token within the token's lifetime. After a user has been introduced to a new security domain, all of the user's resource requests are authorized by the new domain.

    14.
    Invention patent
    Unknown

    Publication (announcement) number: AT341146T

    Publication (announcement) date: 2006-10-15

    Application number: AT03735666

    Application date: 2003-06-24

    Applicant: IBM

    Abstract: A method, system, or computer program product is presented for cross-domain, single-sign-on authentication functionality. A user may contract with one or more authentication service providers (ANSPs). E-commerce service providers (ECSPs), such as online banks or online merchants, also maintain a relationship with an ANSP, such that the ECSP can trust the authenticated identity of a user that is vouched for by the ANSP on behalf of the user. The user can visit any e-commerce service provider in a federated environment without having to establish an a priori relationship with that particular ECSP. As long as the ECSP's domain has a relationship with at least one of the user's authentication service providers, the user will be able to have a single-sign-on experience at that ECSP.

    IDENTITY PROVIDER DISCOVERY SERVICE USING A PUBLISH-SUBSCRIBE MODEL

    Publication (announcement) number: CA2918009C

    Publication (announcement) date: 2020-02-18

    Application number: CA2918009

    Application date: 2013-01-29

    Applicant: IBM

    Abstract: A proxy is integrated within an F-SSO environment and interacts with an external identity provider (IdP) instance discovery service. The proxy proxies IdP instance requests to the discovery service and receives responses that include the IdP instance assignments. The proxy maintains a cache of the instance assignment(s). As new instance requests are received, the cached assignment data is used to provide appropriate responses in lieu of proxying these requests to the discovery service, thereby reducing the time needed to identify the required IdP instance. The proxy dynamically maintains and manages its cache by subscribing to updates from the discovery service. The updates identify IdP instance changes (such as servers being taken offline for maintenance, new services being added, etc.) occurring within the set of geographically-distributed instances that comprise the IdP service. The updates are provided via a publication-subscription model such that the proxy receives change notifications proactively.

    METHOD AND APPARATUS FOR ACCESS TO AN EXTERNAL NETWORK WITH A HIDDEN USER IDENTITY OF A MOBILE DEVICE.

    Publication (announcement) number: MX2009012529A

    Publication (announcement) date: 2009-12-03

    Application number: MX2009012529

    Application date: 2008-05-08

    Applicant: IBM

    Abstract: A mobile device identifier (such as an MSISDN), which typically accompanies a request from a mobile device, is replaced by an "enriched" identifier that exposes the home operator of the mobile device user but hides the identity of the mobile device (and thus of the device's user). In one embodiment, the identifier includes a first part and a second part. The first part includes a data string that identifies (either directly or through a database lookup) the home operator of the mobile device user. The second part, however, is an opaque data string, such as a single-use unique identifier (UID) or a value otherwise derived as a function of the MSISDN (or a similar identifier). The opaque data string encodes the identity of the mobile device in such a way that it can preferably be recovered only by the user's home operator (or an entity authorized by it). When the mobile device user roams into an external network, that network receives the enriched identifier instead of an MSISDN. The external network uses the first part to identify the home network of the mobile device user, for example to determine whether the requested access is permitted (or whether some other value-added service is provided). However, the external network cannot decode the second part; thus the identity of the mobile device (as well as the identity of the mobile device user) remains obscured. This ensures that the user's privacy is maintained, while preventing third parties from building a profile of the device based on requests that include the MSISDN or a similar identifier.

    17.
    Invention patent
    Unknown

    Publication (announcement) number: DE602005003314D1

    Publication (announcement) date: 2007-12-27

    Application number: DE602005003314

    Application date: 2005-12-15

    Applicant: IBM

    Abstract: The invention provides federated functionality within a data processing system by means of a set of specialized runtimes. Each of the plurality of specialized runtimes provides requested federation services for selected ones of the requestors according to configuration data of respective federation relationships of the requestors with the identity provider. The configuration data is dynamically retrieved during initialization of the runtimes which allows the respective runtime to be specialized for a given federation relationship. Requests are routed to the appropriate specialized runtime using the first requestor identity and the given federation relationship. The data which describes each federation relationship between the identity provider and each of the plurality of requestors is configured prior to initialization of the runtimes. Configuration data is structured into global specified data, federation relationship data and requestor specific data to minimize data change, making the addition or deletion of requestors very scalable.

    METHOD AND SYSTEM FOR EXTERNALIZING HTTP SECURITY MESSAGE HANDLING WITH MACRO SUPPORT

    Publication (announcement) number: CA2633313A1

    Publication (announcement) date: 2007-06-21

    Application number: CA2633313

    Application date: 2006-12-13

    Applicant: IBM

    Abstract: A method for externalizing message handling within a data processing system is presented. A request (412) to access a resource (406) is received at a first server (404) from a client (402). In response to determining at the first server that processing of the request requires a message to be sent to the client, a redirect message (416) is generated that contains an operation code that corresponds to message handling functionality at a second server (418) for the message to be sent to the client. A configurable macro is evaluated to determine an evaluated macro, and the evaluated macro is inserted into the redirect message. The redirect message is then sent from the first server to the second server via the client. The second server extracts the operation code from the redirect message and invokes the message handling functionality that corresponds to the extracted operation code. The second server extracts the evaluated macro from the redirect message and employs the evaluated macro at the second server as an input parameter for the message handling functionality.

    METHOD AND SYSTEM FOR USER-DETERMINED AUTHENTICATION AND SINGLE-SIGN-ON IN A FEDERATED ENVIRONMENT

    Publication (announcement) number: AU2003238031A1

    Publication (announcement) date: 2004-01-19

    Application number: AU2003238031

    Application date: 2003-06-24

    Applicant: IBM

    Abstract: A method, system, or computer program product is presented for cross-domain, single-sign-on authentication functionality. A user may contract with one or more authentication service providers (ANSPs). E-commerce service providers (ECSPs), such as online banks or online merchants, also maintain a relationship with an ANSP, such that the ECSP can trust the authenticated identity of a user that is vouched for by the ANSP on behalf of the user. The user can visit any e-commerce service provider in a federated environment without having to establish an a priori relationship with that particular ECSP. As long as the ECSP's domain has a relationship with at least one of the user's authentication service providers, the user will be able to have a single-sign-on experience at that ECSP.

    METHOD, APPARATUS AND PROGRAM PRODUCTS FOR CUSTOM AUTHENTICATION OF A PRINCIPAL IN A FEDERATION BY AN IDENTITY PROVIDER

    Publication (announcement) number: CA2633311C

    Publication (announcement) date: 2015-05-26

    Application number: CA2633311

    Application date: 2006-12-13

    Applicant: IBM

    Abstract: Methods, systems, and computer program products are disclosed that give entities flexibility to implement custom authentication methods of other entities for authentication of a principal in a federation by authenticating the principal by an identity provider according to a service provider's authentication policy and recording in session data of the identity provider an authentication credential satisfying the service provider's authentication policy. Authentication of a principal in a federation is also carried out by authenticating the principal by the identity provider according to an identity provider's authentication policy. Authentication of a principal in a federation is further carried out by receiving in the identity provider an authentication request from the service provider, the authentication request specifying the service provider's authentication policy.
